#!/usr/bin/env python

from esapi.core import ESAPI
from models import XSSRule, XSSContext, XSSAttack, Encoder
from django import escape as django_escape
    
all_rules = []

rule = XSSRule("RULE #0 - Never Insert Untrusted Data Except in Allowed Locations", "http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.230_-_Never_Insert_Untrusted_Data_Except_in_Allowed_Locations")

context = XSSContext("Only put untrusted data in the five approved locations! Not into a script:")
context.context_code = "0"
context.vulnerable_form = "<span>data<script>var i=??;</script></span>"

attack = XSSAttack("Use the current context")
attack.add_example("50;alert('xss0a')")
context.add_attack(attack)
rule.add_context(context)
all_rules.append(rule)

rule = XSSRule("RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content", "http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content")
rule.add_encoder(
    'esapi', 
    Encoder(
        "HTML entity encoding excluding space", 
        ESAPI.encoder().encode_for_html
    )
)
rule.add_encoder(
    'django', 
    Encoder(
        "5 character HTML entity encoding", 
        django_escape
    )
)

context = XSSContext("Normal Element Content, common attacks are:")
context.context_code = "1"
context.vulnerable_form = "<span>??</span>"

attack = XSSAttack("Inject down into script context by introducing a element")
attack.add_example("<script>alert('xss1a')</script>")
attack.add_example("<img src=1 onerror=alert('xss1b')>")
context.add_attack(attack)
rule.add_context(context)
all_rules.append(rule)

rule = XSSRule("RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes", "http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes")

rule.add_encoder(
    'esapi', 
    Encoder(
        "HTML entity encoding including space", 
        ESAPI.encoder().encode_for_html_attribute
    )
)
rule.add_encoder(
    'django', 
    Encoder(
        "5 character HTML entity encoding", 
        django_escape
    )
)

context = XSSContext("Unquoted Attribute, common attacks are:")
context.context_code = "21"
context.vulnerable_form = "<span class=??>test</span>"
attack = XSSAttack("Inject up to another attribute using whitespace characters (ASCII 9, 10, 11, 12, 13, 32)")
attack.add_example("dummy onmouseover=alert('xss2.1a')")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with >")
attack.add_example("dummy><script>alert('xss2.1b')</script>")
context.add_attack(attack)
rule.add_context(context)

context = XSSContext("Quoted Attribute, common attacks are:")
context.context_code = "22"
context.vulnerable_form = "<span class=\"??\">test</span>"
attack = XSSAttack("Inject up to another attribute with \" or ' depending on what quotes were used")
attack.add_example("dummy\" onmouseover=\"alert('xss2.2a')")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with \">")
attack.add_example("\"><script>alert('xss2.2b')</script><span class=\"")
context.add_attack(attack)
rule.add_context(context)
all_rules.append(rule)

rule = XSSRule("RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values", "http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233_-_JavaScript_Escape_Before_Inserting_Untrusted_Data_into_HTML_JavaScript_Data_Values")

rule.add_encoder(
    'esapi', 
    Encoder(
        "Javascript escaping", 
        ESAPI.encoder().encode_for_javascript
    )
)
rule.add_encoder(
    'django', 
    Encoder(
        "5 character HTML entity encoding", 
        django_escape
    )
)

context = XSSContext("Unquoted value, common attacks are:\nNote that JavaScript escaping can be \\A (ascii) or \\xHH (hex) or \\OOO (octal)")
context.context_code = "31"
context.vulnerable_form = "<img src=\"style/images/owasp-logo_130x55.png\" onload=\"var i=??;\">"
attack = XSSAttack("Inject up to another attribute with ; | and many others")
attack.add_example("50; alert('xss3.1a')")
context.add_attack(attack)

attack = XSSAttack("Inject down with a JavaScript expression")
attack.add_example("50 + alert('xss3.1b')")
context.add_attack(attack)
rule.add_context(context)

context = XSSContext("Quoted value, common attacks are:\nNote that JavaScript escaping can be \\A (ascii) or \\xHH (hex) or \\OOO (octal)")
context.context_code = "32"
context.vulnerable_form = "<img src=\"style/images/owasp-logo_130x55.png\" onload=\"var i='??'\">"
attack = XSSAttack("Inject up to the JavaScript context with \" or ' depending on what quotes were used")
attack.add_example("dummy'; alert('xss3.2a'); var j='")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with \">")
attack.add_example("dummy'\"><script>alert(\"xss3.2b\")</script>\"")
context.add_attack(attack)
rule.add_context(context)
all_rules.append(rule)

rule = XSSRule("RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values", "http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.234_-_CSS_Escape_Before_Inserting_Untrusted_Data_into_HTML_Style_Property_Values")

rule.add_encoder(
    'esapi', 
    Encoder(
        "CSS escaping", 
        ESAPI.encoder().encode_for_css
    )
)
rule.add_encoder(
    'django', 
    Encoder(
        "5 character HTML entity encoding", 
        django_escape
    )
)

context = XSSContext("Unquoted Style Attribute, common attacks are:")
context.context_code = "41"
context.vulnerable_form = "<span style=??>test</span>"
attack = XSSAttack("Inject up to another attribute using whitespace characters (ASCII 9, 10, 11, 12, 13, 32)")
attack.add_example("dummy onmouseover=alert('xss4.1a')")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with >")
attack.add_example("dummy><script>alert('xss4.1b')</script>")
context.add_attack(attack)

attack = XSSAttack("Inject down using xss:expression")
#attack.add_example("xss:expression(alert('xss4.1c'))")
#attack.add_example("xss:url(javascript:alert('xss4.1d'))")
context.add_attack(attack)
rule.add_context(context)

context = XSSContext("Quoted Style Attribute, common attacks are:")
context.context_code = "42"
context.vulnerable_form = "<span style=\"??\">test</span>"
attack = XSSAttack("Inject up to another attribute with \" or ' depending on what quotes were used")
attack.add_example("dummy\" onmouseover=\"alert('xss4.2a')\"")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with \">")
context.add_attack(attack)

attack = XSSAttack("Inject down using xss:expression")
#attack.add_example("xss:expression(alert('xss4.2b'))")
#attack.add_example("xss:url(javascript:alert('xss4.2c'))")
context.add_attack(attack)

rule.add_context(context)
all_rules.append(rule)

rule = XSSRule("RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Attributes", "http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.235_-_URL_Escape_Before_Inserting_Untrusted_Data_into_HTML_URL_Attributes")

rule.add_encoder(
    'esapi', 
    Encoder(
        "URL escaping", 
        ESAPI.encoder().encode_for_url
    )
)
rule.add_encoder(
    'django', 
    Encoder(
        "5 character HTML entity encoding", 
        django_escape
    )
)

context = XSSContext("Unquoted URL attribute, common attacks are:")
context.context_code = "51"
context.vulnerable_form = "<a href=??>test</a>"
attack = XSSAttack("Inject up to another attribute using whitespace characters (ASCII 9, 10, 11, 12, 13, 32)")
attack.add_example("dummy onmouseover=alert('xss5.1a')")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with >")
attack.add_example("dummy><script>alert('xss5.1b')</script>")
context.add_attack(attack)

attack = XSSAttack("Inject down with javascript: type URLs")
context.add_attack(attack)
rule.add_context(context)

context = XSSContext("Quoted URL Attribute, common attacks are:")
context.context_code = "52"
context.vulnerable_form = "<a href=\"??\">test</a>"
attack = XSSAttack("Inject up to another attribute with \" or ' depending on what quotes were used")
attack.add_example("dummy\" onmouseover=\"alert('xss5.2a')\"")
context.add_attack(attack)

attack = XSSAttack("Inject up to the containing HTML element with \">")
attack.add_example("dummy\"><script>alert('xss5.2b')</script><a href=\"")
context.add_attack(attack)

attack = XSSAttack("Inject down with javascript: type URLs")
context.add_attack(attack)

rule.add_context(context)
all_rules.append(rule)

def get_all_rules():
    return all_rules

def get_rules_with_encoder(key):
    return filter(lambda x: x.encoders.has_key(key), all_rules)
    

